10 Cloud Security Best Practices You Don't Want To Skip
Best Practices
As more companies make the jump to the cloud, the importance of building strong cloud security operations grows. Just as with any industry, implementing the technologies with industry best practices will help yield the best result in the long term. As part of Cloud Security Week, CRN asked security experts what they see as the most important best practices in the growing market for cloud security offerings. Take a look at what they had to say.
1. Deploy Identity And Access Management
No matter what cloud security measures are in place, without identity and access management solutions a company has a huge hole in its security portfolio, experts agreed. Chenxi Wang, vice president of cloud security and strategy at CipherCloud, said these solutions have to be integrated with the organization and continuously updated as employee turnover occurs. That integration is often missed, she said, opening the door to insider threats.
Bill Lucchini, senior vice president and general manager of Sophos Cloud, agreed.
"You want to look at employee controls for sure," Lucchini said. "A lot of these breaches happen because of one disgruntled employee or one not-careful employee."
2. Classify Data
Solution providers need to help their customers sort out data classification levels and, from there, determine what level of data protection they will employ in the cloud, CipherCloud's Wang said. Companies are just beginning to recognize the importance of this practice, Wang said, and are starting to make strategic decisions about their data protection policies.
"The cloud doesn't know. The cloud operations won't know your business processes, your priorities, so it doesn't know what's important and what's not," Wang said. "You have to be the one who specifies the data at criticality levels."
3. Create Visibility For Policy Control
To have strong policy control in the cloud, companies need to make sure they have complete visibility, CipherCloud's Wang said. As a best practice, that includes knowing what assets are in the cloud, what data is being sent to which application and who is using what data. Having that visibility helps prevent "blind spots" in threat detection as well as insider threats, she said, adding that there are plenty of tools on the market to help a company gain that visibility into its cloud operations.
4. Provide Regular Auditing
While everyone tries to do their best with security, it's hard not to miss the forest for the trees, Sophos' Lucchini said. For that reason, Lucchini recommended solution providers conduct regular cloud security audits as a best practice to find security holes for their customers.
"It's really enlightening," Lucchini said. "It's worth doing periodically ... just getting an outside expert is a big help."
5. Shared Responsibility Model
Many security experts spoke of the shared responsibility model of the cloud, where clients and cloud providers have responsibilities for different aspects of security. Dave Abramowitz, Trend Micro technical adviser, said that as he sees it, cloud providers are responsible for the security of the hardware and physical infrastructure, while customers are responsible for securing the OS and applications. Solution providers have to educate customers on where the cloud provider's security responsibilities end and plug any security holes left uncovered. For solution providers, making sure clients are on board and understand that shared responsibility model is a best practice, he said.
6. Advocate For Stronger Password Protection
Having strong passwords is an important best practice in general, but especially important in the cloud, Trustwave Vice President of Managed Security Testing Charles Henderson said. On a basic level, that means training employees to choose strong passwords, with more than 10 characters, multiple words and symbols, he said. On top of that, Henderson recommended clients implement two-factor authentication solutions to make it more difficult for attackers to gain control of an account.
7. Choose A Cloud Vendor With A Solid Track Record
While it might seem simple, an important best practice of cloud security is choosing a vendor with a solid track record for security, said Sam Heard, president of Data Integrity Services, a solution provider based in Lakeland, Fla. So far, few of the mega data breaches have targeted cloud providers, but it is still vitally important to fully evaluate what they bring to the table and how those offerings have performed in the past for other clients, he said.
8. Secondary Internet Pipe
For clients with mission-critical applications in the cloud, Data Integrity Services' Heard said he recommends deploying dual Internet pipes as a best practice, one for running applications in the cloud and the other for regular Internet traffic. While much more expensive, Heard said utilizing two different Internet connections cuts any slowdown in accessing applications in the cloud and helps prevent critical application downtime in the case of a WAN issue.
9. Perform Penetration Tests On Ecosystem Partners
One emerging best practice is doing penetration tests on any partners clients work with, including contractors, manufacturers and anyone the company communicates with and does business with on a regular basis, said Trend Micro's Abramowitz. A company can do everything to protect itself, he said, but if its ecosystem partners aren't doing the same, there is an opening for an attack. While not every company does this today, Abramowitz said he sees it happening more and more in the market.
10. Don't Forget To Monitor Threat Detection Technology
While having threat detection technologies in place is an obvious security best practice, Trustwave's Henderson said companies need to make sure they have enough resources and expertise in monitoring traffic to back up the technologies. The faster a breach is detected, the faster it can be contained. However, Henderson said most organizations today are falling short in implementing threat detection best practices, citing data from the 2015 Trustwave Global Security report, which found an average of 14.5 days from intrusion to containment when detected internally and an average of 154 days when discovered by an external party.